Columbus Identifies Protected Health Information from Cyberattack

Published on February 03, 2025

An aerial shot of Columbus City Hall

As part of the City of Columbus’ ongoing investigation into the July cyberattack on the city, a limited amount of protected health information (PHI) for less than 1,000 individuals has been identified in a Division of Fire database as involved in the cyberattack. 

This database contained dispatch and other records of the Division of Fire. A small number of these records include brief notes about emergency medical services (EMS) services that were provided at the location of a Division of Fire call.  The information in these notes was not the same for everyone.  The data may include a combination of individuals’ first and last name, address, date of birth, date of service, and/or brief notes on the EMS service provided. A very small number of Social Security numbers were also contained in the PHI.

It was discovered on December 12, 2024 that the impacted database contained this data that could be considered PHI. The database was then reviewed and analyzed to ascertain the individuals whose PHI was present at the time of the attack. There is no evidence that the Division of Fire’s encrypted electronic medical record (EMR) system that separately holds its treatment records was compromised, nor is there evidence that financial account information was involved. The Division and city are unaware of any actual or attempted misuse of personal information or PHI for identity theft or fraud.

As a result of this review, the Division of Fire will be mailing letters to the individuals whose PHI was contained in the impacted database. These individuals already qualify for two years of free Experian credit and dark web monitoring services, which includes $1 million of protection against fraud and identity theft; they will have 90 days from when the letter is sent to enroll.

As a reminder, this service also remains available through March 31, 2025 to residents and individuals who may have shared their personal information with the City of Columbus. To sign up, go to columbus.gov/cyber. Service begins upon enrollment.

Tonight, Department of Technology Director Sam Orth and representatives from the Dinsmore and Vorys legal teams will brief Columbus City Council in an executive session. Council will also consider Ordinance 0297-2025, which will allow the review of Criminal Justice Information Service (CJIS) data maintained in several of the databases involved in this cyberattack, in support of the ongoing investigation. 

Tagged as:
Back to top